Until May of 2021, most Americans had probably never heard of the Colonial Pipeline. But the largest pipeline in the country was front-page news for weeks when operations ceased because of a ransomware attack perpetrated by Russian hackers. Under normal operations, the pipeline provides 50% of the petroleum on the East Coast. The effects of the shutdown were quickly felt across the economy, with higher gas prices and long lines not seen at East Coast pumps since the 1970s.
The details of the hack and the subsequent $4.4 million payment made by Colonial are, by now, well known. While certainly not the first (or last) cyberattack on U.S. energy infrastructure, the incident highlighted something causing growing concern among energy sector leaders and the federal government. Our cyber enemies are getting more sophisticated and growing more daring. The nation’s energy sector needs a cybersecurity upgrade to protect itself from these attacks.
Read our blog post, “How Can Generative AI Be Used in Cybersecurity?”
Bold cyber-attacks exploit vulnerabilities
As the digital world develops, it brings a growing number of people and organizations looking for ways to exploit digital vulnerabilities. Perpetrated either by nation-states or groups of hackers known as hacktivists, these cybercriminals are often politically or financially motivated, or sometimes both.
Without a doubt, data theft, billing fraud, ransomware, and even distributed denial of service (DDOS) attacks are on the rise across all sectors of the economy. Experts predict cybercrime will cost the world $10.5 trillion by 2025, up from $3 trillion in 2015. Our nation’s critical energy infrastructure won’t be immune. According to a recent report, data breaches cost the energy industry alone $4.65 million per incident.
Why the energy sector is vulnerable to cyber-attacks
The energy sector is, by its very nature, decentralized and complex. A utility’s infrastructure could be spread out over hundreds of miles, and while managing utility-controlled sites is one thing, energy companies must now consider consumer devices. For example, electric vehicle charging stations and grid-connected home solar systems can both create vulnerabilities by unwittingly providing bad actors access to the grid. Even utility-owned smart meters could be vulnerable to data breaches.
Adding to the complexity of the physical system is the fact that many utilities are running legacy technology that was designed for a more genteel time, cyber-wise. Getting support for those older systems can be challenging. While utilities may want to update and overhaul their systems to address cyber threats, those efforts will have a steep price tag – one that regulators may not be willing to pass on to consumers.
Resilience and defense
Fortunately, help is on the way in the form of funding from the newly passed Infrastructure Investment and Jobs Act (IIJA).
The IIJA includes more than $2 billion earmarked for cybersecurity innovation and resiliency. This amount includes $550 million devoted to developing grid infrastructure resiliency and creating the technology necessary for the energy sector to detect and respond to cyber threats. Another $500 million is set aside to study and address cyber threats and vulnerabilities to our drinking water infrastructure. This funding should go a long way in jumpstarting the cybersecurity efforts of the U.S. energy infrastructure.
Interested in more information about cybersecurity? Learn how PCI manages these threats and request slides from our “Evolving Cybersecurity Threats & Challenges to Public Power”
webinar.
